

That’s not a Wayland issue, that’s a compositor issue. Sway for example allows mapping apps to workspaces.
The requirements asked for a web UI. You are right though, except for that, other kinds of shared folder solutions might work.
WordPress has become an all-purpose CMS known for security vulnerabilities via unsafe plugins.
Ghost has APIs instead of plugins for nearly everything, so it eliminated a lot of security and maintenance headache that way.
Ghost focuses on just a few features centered around independent content creators: blogging, email newsletters and subscriptions.
So features for sending bulk emails and accepting payments are built in, but you won’t find native support for other things like podcasts or recipe markup.
Ghost meets my need, and I love not dealing with 30 plugins at risk of being exploited if I don’t upgrade them promptly.
Exactly. It’s not just downtime to worry about, either. It’s disks filling up. It’s hardware failure. It’s DNS outages. It’s random DDoS attacks. It’s automated scans of the internet targeting WordPress. It’s OS, php and database upgrades. It’s setting up graphing, monitoring, alerting and being on-call 24/7 to deal with the issues that come up.
If these businesses are at all serious, pay for professional hosting and spend your time running the business.
I think there is a catch-22.
pg_dump needs to connect to a running PostgreSQL instance.
But if you upgrade the binaries and try to start up, you can’t because the old data format doesn’t work. Because you can’t start up, pg_dump can’t connect.
I’ve spent more than a decade supporting both Postgres and MongoDB in production.
While they each have quirks, I prefer the quirks of Postgres.
I just spent a massive amount of time retooling code to deal with a MongoDB upgrade. The code upgrade is so complex because that’s where the schema is defined. No wonder MongoDB upgrades are easier: the database has externalized a lot of complexity that now becomes some coder’s problem to deal with.
For minor version upgrades, the database remains binary compatible. Nothing to do.
The dump/restore required during major upgrades allows format changes which enable new features and performance improvements without dragging around cruft forever to stay backwards compatible.
For professionals running PostgreSQL clusters in production there is a way to cycle in the new server version with zero user-visible downtime.
https://www.cloudns.net/ Makes dynamic DNS very easy.
This is the day after iOS 18.2 was released with native ChatGPT integration.
We had two female black cats named Midnight and Luna,
When guests would come over and ask our young children about the cats, a child would explain to the adult guests that Midnight and Luna were our ladies of the night, explaining that Luna means moon.
This went on for years.
It’s so old it’s not called self-hosted.
Moneydance https://moneydance.com/
Started using it close to twenty years ago and keep using it because it seems fine.
A content management system admin? Painful.
At one time there were browser extensions that allowed you to comment on any web page and allowed other extension users to see your comments.
The comments were hosted through the extension and not on the pages themselves.
Something like that would be possible but I don’t know anyone offering it now. I presume no one wants to moderate that.
I had a friend who liked to sulk around in a trench coat. He bought a grocery store donut and promptly tossed the receipt.
He was soon stopped by grocery security for theft. After some hassle they tracked down his receipt and let him go, but yeah that’s what donut receipts are for.
Good example. It’s true that even a GET request not designed to mutate data might still fail to validate input, allowing a SQL injection attack or other attack that escalates to the privileges that the running app has.
Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they want to be private:
https://github.com/immich-app/immich/tree/main/e2e/src/api/specs
As a popular open source project, that would be a glaring security hole.
Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s GitHub account is hacked or there’s a vulnerability in the supply chain of this docker container.
It’s also not true that you “never need to touch it again”. It’s based on Node, whose security updates expire every two years. A new image should be built at least every two years to keep up to date with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.
Yes, there are broken uses of the HTTP protocol verbs where filtering to GET won’t work.
A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.
It’s extremely difficult to attack a service with only GET requests.
The security of which URLs are accessible without authentication would be up to Immich.
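The GET-only, specific-paths rule from the comment above, as an added example that is not part of the original comment or of any project it mentions: a Python decision function a reverse proxy could apply before forwarding. The entries in `ALLOWED_PATHS` are hypothetical placeholders, not Immich's real routes, and the function name is an assumption.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist (assumption): replace with the public paths of
# the service being protected. Anything not matched here is never forwarded.
ALLOWED_PATHS = [
    re.compile(r"/share/[A-Za-z0-9_-]{1,128}"),
    re.compile(r"/assets/[A-Za-z0-9._/-]{1,256}"),
]

# Percent-encoded "/" or "\" can make the proxy and the backend disagree
# about where one path segment ends.
ENCODED_SEPARATOR = re.compile(r"%2f|%5c", re.IGNORECASE)


def should_forward(method: str, target: str) -> bool:
    """Return True only for GET requests whose canonical path is allowlisted."""
    if method != "GET":
        return False

    parts = urlsplit(target)
    # Accept origin-form targets only ("/path?query"), never absolute or
    # scheme-relative ones such as "//other.host/share/x".
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return False

    if ENCODED_SEPARATOR.search(parts.path):
        return False

    path = unquote(parts.path)
    # A "%" left after one decoding pass means double encoding.
    if "%" in path or "\x00" in path or "\\" in path:
        return False

    # Reject rather than rewrite: if normalisation changes the path it
    # contained "..", "." or duplicate/trailing slashes.
    if posixpath.normpath(path) != path:
        return False

    return any(pattern.fullmatch(path) for pattern in ALLOWED_PATHS)


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    for method, target in [("GET", "/share/abc123"), ("POST", "/share/abc123"),
                           ("GET", "/share/%2e%2e/api/users")]:
        print(method, target, should_forward(method, target))
```

Matching is done on the decoded, already-canonical path, so a request that only reaches an allowlisted prefix through `..` or encoding tricks is dropped instead of being forwarded.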
For that matter, Xorg didn’t handle this either, DEs or WMs did.